How should we start this article? Some of you have likely read a slew of “What GDPR is and what to do” articles at this point. So why read another? If that’s you, skip the history and start working on how your organization can answer the following questions:
- How are you collecting and storing sensitive data?
- Where and with whom are you sharing it?
- What contracts are in place to ensure that partners with access to your contact data follow the same practices as your company?
- How easily can you delete all the data you’ve collected on a prospect?
For the rest of you, let’s go back. Way back to where this story begins.
No Place to Dock
Around the same time Peter Jackson was wrapping production on what was to become one of the nerdiest trilogies of all time, the European Union was starting to worry that the United States was playing pretty fast and loose with consumer data online.
What resulted was the International Safe Harbor Principles. Basically, this established criteria around privacy practices that, if met, allowed a company to be certified. Certification was based on self-reporting. Pay your fee, say you are doing a bang-up job of protecting customer data, and you’re compliant.
And that’s where the story ends. The US Department of Commerce and the EU joined hands and sang, “We are the World.” Not so much.
One major problem. Outside of saying they were compliant, many US companies weren’t technically doing anything to protect consumer data. After fifteen years of the supposed Safe Harbor, the European Court of Justice (ECJ) shook its collective head, sighed, and struck down the Safe Harbor decision in 2015. The US, the court said, was not living up to its side of the deal, and many companies were continuing to process data without any integrity controls or encryption.
After Safe Harbor’s dissolution, the European Commission and the US Department of Commerce negotiated its replacement, the EU-US Privacy Shield. The purpose was to establish a better framework with a stricter compliance checklist for US companies. United States privacy law was just not good enough for the EU when it came to protecting citizens’ data online.
Of course, after the Privacy Shield was introduced, US companies immediately invested their revenue and resources in protecting customer and prospect data, leading the EU to move on to other issues and finally drop the matter of data protection altogether.
“The EU is still unhappy with how compliant US companies are today,” said Chris Arrendale, CEO of Inbox Pros and one of the smarter GDPR subject-matter experts in the US.* “The EU expects a minimum amount of privacy standards. And we’ve consistently failed to follow them.”
The Privacy Shield was an attempt to get the US to a place where the EU was comfortable passing data back and forth. Currently, the US is not considered compliant. This means that when GDPR hits in May of 2018, the EU is officially unsettled by the idea of a US company marketing to EU citizens online.
This is a body that regulates 22.8% of the global economy saying the US isn’t up to code. But European companies aren’t necessarily killing it either.
“Many European B2B senders are planning to continue to buy lists,” said Arrendale. “They aren’t going to change until they’re slapped.”
That “slap” is more like a thermonuclear bomb hitting the side of your headquarters. Fines for a violation can reach 20 million euro or 4% of global annual revenue, whichever is higher. Let that sink in.
“Let’s say I’m in Europe, and I buy a box of cereal,” said Arrendale. “I later go online and sign up for their newsletter. I see their explicit opt-in form, fill it out, and start receiving the newsletter. A few weeks later, a different cereal company emails me some content. That could signal to me that the first cereal company is sharing my data with a third party.”
Under GDPR, that first cereal company is about to feel some pain.
As marketers, we’ve long known that prospect and customer contact info has value. What GDPR does is shift the value of that contact data: what was an estimate of intrinsic value has become an exercise in calculating risk.
Historically, many organizations haven’t put much effort into protecting prospect data. The cost of protecting that type of data seems only worth the spend when a person pays into the organization as a customer.
A rather unkind analogy is that of the mafia. Although there are innumerable books, films, and TV shows about the mafia engaging in crime, the premise of the mafia was essentially an insurance company. You pay into it; they protect your assets. Your storefront, your bar, your family, or, to connect the dots back to our topic, your personal data.
Taking this ill-advised metaphor even further, imagine if the government told the mafia that they had to protect everyone in the neighborhood regardless of whether those people were paying for that protection. You can imagine how unfair Vito et al. would think that is.
Well, that’s kind of where we are today. And that’s what’s keeping CSOs and CIOs up at night. Once the sour grapes around having to take on data risk without first taking in revenue dissipate, the next realization is, “How the hell do we do this?”
Let’s get something out of the way. Double opt-in is not GDPR.
“Everybody can update a form or explicitly opt in their existing list,” said Arrendale. “But when it comes to privacy impact assessments, the right to be forgotten, and data governance/access, that’s the heart of why people are freaked out. How data is processed and accessed and protected—that’s scaring people.”
Explicit opt-in is absolutely a part of GDPR, but it’s the accoutrements. It’s the pickle on your gourmet hamburger. It’s the least-expensive act of compliance; though that’s no excuse to be lazy about it.
“No, checked boxes or pre-checked boxes won’t fly for landing pages anymore,” said Arrendale.
And the opt-in issue has farther-reaching effects than just a simple form strategy.
Case in point, have you tried to buy an email list in Canada lately?
Like aggressive tax cuts for the wealthy, list buying as we know it is going to be a decidedly American practice compared to the rest of the developed world. It will eventually dry up in the EU.
But here’s the silver lining. Explicit opt-in has been the best practice for years, and not because it’s nicer to prospects. It’s because there’s no better way to exclude non-engagers in your programs. Can you imagine what your engagement metrics might look like if everyone in your campaign wanted to be there?
“If I have explicit opt-in permission to email these people, then opens, clicks, and deliverability should be much higher,” said Arrendale. “Bounces and complaints should be nil.”
And that’s what we all want.
So where does this leave us when it comes to GDPR?
GDPR raises the bar for marketing overseas, but many US companies are still at risk, even if they don’t sell products in the EU.
“The majority of B2B enterprises are not getting the permission they need to explicitly email contacts,” said Arrendale. “I think many aren’t collecting the demographic data to ensure they don’t accidentally have EU contacts in their campaigns.”
Some of the more risk-averse companies might want to stay out of the region altogether.
“I’ve heard some companies say that they just won’t email contacts in the EU,” said Arrendale. “The EU makes up roughly 23% of the global economy. That’s not going to work.”
Although we’ve known about GDPR since the spring of 2016, it’s easy to feel like many companies are still on the sidelines, stretching. Analyst groups like Forrester have similar insights:
“We predict that 80% of firms affected by GDPR will not comply with the regulation by May 2018. Of those noncompliant firms, 50% will intentionally not comply while the other 50% will try to comply but will fail.”
And it’s understandable. For organizations doing significant business in the EU, the list of to-dos to get compliant might seem too overwhelming to even begin.
According to Arrendale, there are some activities companies should be doing now to get the ball rolling (actually, these should have started in 2016, but, seriously, get started if you haven’t already).
1. Take a hard look at your marketing automation platform users.
“Take a deep dive into user rights and access,” said Arrendale. “How often are you going through Eloqua or Marketo and removing inactive users that should no longer have a login?”
2. Set up some type of breach notification system.
“Everyone knows and has known that they need better breach notification systems,” said Arrendale. “People still don’t have any breach notification alerts. But they need it.”
3. Finally, go out to your existing EU contact database and get as many of them to explicitly opt in before May 2018.
Above are surely small drops in the bucket compared to hiring a Data Protection Officer or Chief Privacy Officer, but they are smart steps in the right direction.
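Item 1 above, the access review of your marketing automation platform, is the one step on that list that can be scripted. The following is an added example, not code from the original article and not an Eloqua or Marketo API; it assumes only that the platform can export its user list as a CSV with a username, role, status and last-login column (the column names and the sample rows are constructed for the example). It flags enabled accounts that have never logged in, accounts idle past a threshold, and privileged accounts on a shorter threshold, which is the list you would take into a quarterly deprovisioning pass.

```python
"""Stale-account review for a marketing automation platform's user export.

Added example; not code from the original article, Eloqua or Marketo.
Assumes the platform exports its user list as CSV with the columns below.
A constructed sample export is embedded so the script runs offline.
"""
import csv
import io
from datetime import datetime

# Thresholds are assumptions: tune them to your own access-review policy.
INACTIVE_DAYS = 90              # any enabled account idle this long gets flagged
PRIVILEGED_INACTIVE_DAYS = 30   # admin and API accounts get a shorter leash
PRIVILEGED_ROLES = {"admin", "api"}

# Constructed sample export, not real platform data.
SAMPLE_EXPORT = """\
username,role,status,last_login
alice@example.com,admin,active,2018-01-20
bob@example.com,marketer,active,2017-09-01
carol@example.com,marketer,active,2018-02-01
dave@example.com,api,active,2017-12-15
erin@example.com,marketer,active,
frank@example.com,admin,disabled,2016-05-03
"""


def parse_date(text):
    """ISO date string -> date, or None for an empty field (never logged in)."""
    text = text.strip()
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def parse_export(text):
    """Read the CSV export into a list of dicts with last_login as a date/None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_login"] = parse_date(row["last_login"])
        rows.append(row)
    return rows


def review_accounts(rows, as_of):
    """Return (username, reason) pairs for accounts that need action.

    Disabled accounts are skipped. An enabled account that has never logged
    in is flagged regardless of age: it is a working credential that nobody
    is using, which usually means nobody is watching it either.
    """
    findings = []
    for row in rows:
        if row["status"].strip().lower() != "active":
            continue
        role = row["role"].strip().lower()
        limit = PRIVILEGED_INACTIVE_DAYS if role in PRIVILEGED_ROLES else INACTIVE_DAYS
        if row["last_login"] is None:
            findings.append((row["username"], "never logged in"))
            continue
        idle = (as_of - row["last_login"]).days
        if idle > limit:
            findings.append((row["username"],
                             f"idle {idle} days (limit {limit}, role {role})"))
    return findings


def review_export(text, as_of_iso):
    """Convenience wrapper: review a raw CSV export as of an ISO date string."""
    return review_accounts(parse_export(text), parse_date(as_of_iso))


if __name__ == "__main__":
    # Review the constructed sample as of a fixed date so output is reproducible.
    for user, reason in review_export(SAMPLE_EXPORT, "2018-02-15"):
        print(f"{user}: {reason}")
```

Run it as-is and it reports three accounts from the sample: one marketer idle for 167 days, an API account idle for 62 days (over the stricter privileged limit even though it is under the general one), and an enabled account that has never logged in. Alice, the admin who logged in 26 days ago, and Frank, already disabled, are correctly left alone. Pipe your real export in place of the sample and the same rules apply.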
Although we’ve always pushed for explicit opt-in and following the tenets of permission-based marketing, ID and its partners are also ramping up efforts to help clients prepare for GDPR.
“The risk mitigation requirements of GDPR represent a new normal in our information economy,” said Jim Ruberto, ID’s VP of Technology. “If GDPR seems like a lot, remember: the financial industry got PCI and DSS a decade and a half ago.”
According to Ruberto, CASL and GDPR are both examples of the regulatory bodies du jour trying desperately to catch up with innovation.
“The rapid emergence of sophisticated tools to capture personal information has caused a spike in the value of personal privacy,” said Ruberto. “It’s the intersection of capitalistic opportunism and a mainstream awareness of how valuable personal information is that necessitates the need to regulate.”
Demandbase, a leader in the ABM space and an ID partner, has also made significant moves to prepare.
“While GDPR is a European initiative, it will have a major impact on how U.S. companies treat privacy,” said Dustin Piper, Senior Manager, Agency Channels. “We have both European and U.S.-based global customers asking us about GDPR, and we continue to review the regulations to determine the impact on our business and for our customers. We recently hired a Chief Privacy Officer, Fatima Khan, with strong consumer protection and international experience to address this issue. Our solution for GDPR compliance includes new technology, policies and best practices.”
The takeaway for all US companies that are doing or plan to do online marketing is that while GDPR only technically affects EU contacts, the way that regulations are moving is in the direction of strict permission-based tactics.
“In the US, we are following an opt-out law,” said Arrendale. “Canada and EU are opt-in. Can you imagine the shift for us? That’s where it’s headed. We just don’t know when.”
To chat GDPR, opt-in and form strategy, or anything data-related, please click here and marvel at our unchecked box. However, if your needs go beyond what a simple chat can satisfy (for instance, guidance and expertise around data and regulatory compliance), please get in touch with us ASAP. We have an impressively talented technology practice at ID.**
*this is my opinion, and as the author of this post, I’m entitled to recording it.
**this is not my opinion. It’s fact. They are the smartest people I’ve ever met.